The Hard Lessons Learned by Analyzing Education Sector Cyberattacks
In the last quarter of 2025, LevelBlue SpiderLabs used telemetry from the LevelBlue Fusion platform to decipher the techniques threat groups used to gain access to targets in the education sector.
The three most common practices observed were credential access, execution, and initial access. Each of these categories contains several different sub-methodologies that attackers employed.
Credential Access
Credential access is exactly what it sounds like and was the most common tactic, seen in about 30% of all attacks SpiderLabs tracked. Adversaries use various methods to obtain legitimate usernames, passwords, and other data that let them access a system just as a regular user would.
By far the most common way to obtain credentials was brute force (T1110 in the MITRE ATT&CK framework), which accounted for 96% of these incidents. It was followed by credential dumping (T1003) and stealing, at 3%, and forging Kerberos tickets (T1558).
Attackers conducting brute-force campaigns often begin with extensive reconnaissance, gathering valid usernames through public sources such as institutional directories, social media profiles, research publications, and leaked credential databases. These harvested credentials are then systematically tested against public-facing authentication portals, learning management systems, email platforms, and administrative interfaces.
While many institutions have implemented multi-factor authentication (MFA) for VPN access, attackers may still find opportunities to circumvent these controls through techniques such as MFA fatigue attacks, exploiting weak enrollment or reset procedures, and targeting accounts with MFA exemptions.
Once attackers successfully authenticate through compromised credentials, they gain a foothold for conducting internal network reconnaissance, privilege escalation, and lateral movement - ultimately leading to data exfiltration or broader system compromise.
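A detection a SOC could run over portal authentication logs to surface the brute-force and password-spraying pattern described above, including the success-after-failures signal that usually marks an account actually being taken over. This is an added example, not LevelBlue's own tooling; the log format, field names, thresholds and sample events are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of portal authentication events (not real telemetry).
SAMPLE_LOG = """\
2025-11-03T08:00:01Z portal=sso src=203.0.113.5 user=alice result=FAIL
2025-11-03T08:00:03Z portal=sso src=203.0.113.5 user=bob result=FAIL
2025-11-03T08:00:05Z portal=sso src=203.0.113.5 user=carol result=FAIL
2025-11-03T08:01:00Z portal=lms src=198.51.100.9 user=grace result=FAIL
2025-11-03T08:01:02Z portal=lms src=198.51.100.9 user=grace result=FAIL
2025-11-03T08:01:04Z portal=lms src=198.51.100.9 user=grace result=FAIL
2025-11-03T08:01:10Z portal=lms src=198.51.100.9 user=grace result=SUCCESS
2025-11-03T09:30:00Z portal=lms src=192.0.2.77 user=heidi result=FAIL
2025-11-03T09:30:30Z portal=lms src=192.0.2.77 user=heidi result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) portal=\S+ src=(?P<src>\S+) "
                     r"user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Parse key=value lines into dicts sorted by time; malformed lines are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def detect(events, window=timedelta(minutes=5), max_fails=3, max_users=3):
    """Return {source_ip: sorted alert kinds}: 'spray' (>= max_users accounts failing in a
    window), 'bruteforce' (>= max_fails failures for one account), 'success_after_failures'."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "FAIL"]
        for i, first in enumerate(failures):  # sliding window anchored on each failure
            recent = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
            per_user = defaultdict(int)
            for e in recent:
                per_user[e["user"]] += 1
            if len(per_user) >= max_users:
                alerts.setdefault(src, set()).add("spray")
            if max(per_user.values()) >= max_fails:
                alerts.setdefault(src, set()).add("bruteforce")
        if src in alerts and any(e["result"] == "SUCCESS" for e in evs):
            alerts[src].add("success_after_failures")  # flagged source then logged in
    return {src: sorted(kinds) for src, kinds in alerts.items()}
```

The single failed attempt from 192.0.2.77 followed by a success is the normal mistyped-password case and raises nothing; the thresholds are deliberately low for the sample and should be tuned per portal.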
Execution
The second most common tactic was Execution, seen 27.4 percent of the time. Its techniques, arguably more technically demanding, were Command and Scripting Interpreter (T1059), User Execution (T1204), and Windows Management Instrumentation (T1047).
Command and Scripting Interpreter was found to be used 58.6% of the time, User Execution, 38.6%, and Windows Management Instrumentation, 2.8%.
Each of these takes a different path to the same result: obtaining privileged information.
Detections under Command and Scripting Interpreter flag malicious use of PowerShell commands or scripts, often initiated by unsuspecting users who fall for fake updates and fake CAPTCHA campaigns.
Fake updates and fake CAPTCHA campaigns remain among the most prevalent infection vectors across industries. These campaigns typically deploy infostealers designed to harvest credentials, browser data, and authentication tokens, which are then sold on underground markets or leveraged by threat actors in subsequent ransomware attacks and network intrusions.
Educational institutions face particular vulnerability to these campaigns, as students, faculty, and staff regularly interact with web-based platforms and may be less cautious when encountering what appear to be routine system updates or security checks.
User Execution involves an attacker tricking a user into performing an action, like clicking a malicious link or opening a malicious file, to initiate code execution, often through phishing. According to MITRE, threat actors may also deceive users into performing actions such as:
- Enabling Remote Access Tools, allowing direct control of the system to the adversary
- Running malicious JavaScript in their browser, allowing adversaries to Steal Web Session Cookie
- Downloading and executing malware for User Execution
- Coercing users to copy, paste, and execute malicious code manually
Since the Windows Management Instrumentation service enables local and remote access, it enables an attacker to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as executing commands and payloads.
Initial Access
Initial Access was the third most tracked method, being spotted in 17% of security incidents in the education sector.
Phishing (T1566) was the predominant technique, used in 91.7% of the cases. Exploit Public-Facing Application (T1190) and Valid Accounts (T1078) were the other two tracked, at 4.5% and 3.8%, respectively.
Phishing, as the cybersecurity sector and most of the general public know, consists of scam emails sent to an unsuspecting person that contain malicious links or content and use social engineering to entice the recipient into unknowingly helping the attacker.
Breaking Down a Single Attack
On 18 December 2025, the University of Sydney notified its community of a cybersecurity breach in which historical data relating to certain members of that community had been accessed. It is believed that about 27,500 records were exposed.
Threat actors leveraged access to a code library used for code storage and development. A number of data files containing personal information were also located in the library. As the university stated in the press note, these historical data files were primarily used for testing purposes when the code was developed. The compromised data included personal information of approximately 10,000 current and 12,500 former staff members and affiliates, about 5,000 alumni and students, and six supporters.
According to OSINT analysis performed by SpiderLabs, the code library accessed by threat actors was likely a GitHub repository, suggesting that either a supply-chain attack or a user account compromise could have been used for initial access. The fake CAPTCHA campaigns described in the previous section are common infection sources for student and staff accounts, and attackers may leverage the compromised endpoints to access internal resources.
Mitigations
There are measures that can be put in place to prevent attacks similar to what hit the University of Sydney and others using the techniques mentioned above.
- All database backups should be encrypted at rest using strong encryption, with encryption keys stored separately from the encrypted data in secure key management systems.
- Regular repository audits and automated secret scanning should be implemented to detect and remediate any policy violations before they result in data exposure.
- Educational institutions should implement robust network segmentation to limit lateral movement opportunities and restrict student access to only necessary resources based on their academic role.
- Continuous threat hunting activities should also focus on detecting malicious activities within code repositories, as threat actors may leverage compromised access to inject malicious code into institutional applications, research tools, or shared libraries.
- Regular penetration testing of internal applications should be conducted by authorized security professionals to identify potential entry points and vulnerabilities that attackers could exploit. Given the unique environment of educational institutions, these assessments are particularly critical.
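An added illustration of the repository audit and secret-scanning mitigations above (not LevelBlue's or any project's own code): it walks a constructed sample repository looking for credential patterns and for bulk exports of personal data like the test fixtures described in the University of Sydney incident. The file paths, contents, patterns and the 20-address threshold are assumptions.

```python
import os
import re
import tempfile

SAMPLE_REPO = {  # constructed sample repository contents (not from any real institution)
    "src/app.py": "import os\nDB_URL = os.environ['DB_URL']\n",
    "config/dev.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "tests/fixtures/staff_export.csv":
        "id,name,email\n" + "".join(f"{i},Person {i},person{i}@example.edu\n" for i in range(25)),
    "docs/README.md": "Contact support@example.edu for help.\n",
}

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),  # AWS documented key-id format
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
DATA_EXT = {".csv", ".xlsx", ".sql", ".json", ".txt"}
PII_EMAIL_THRESHOLD = 20  # a data file with this many distinct addresses is a bulk export

def scan_file(rel_path, text):
    """Return findings for one file: secret matches with line numbers, plus bulk PII."""
    findings = []
    for name, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append({"path": rel_path, "type": name, "line": line})
    if os.path.splitext(rel_path)[1] in DATA_EXT:
        emails = set(EMAIL_RE.findall(text))
        if len(emails) >= PII_EMAIL_THRESHOLD:
            findings.append({"path": rel_path, "type": "bulk_pii_export", "count": len(emails)})
    return findings

def scan_tree(root):
    """Walk a checked-out repository and collect findings sorted by path and type."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_file(rel, fh.read()))
    return sorted(findings, key=lambda x: (x["path"], x["type"]))

def write_sample_repo():
    """Materialise SAMPLE_REPO in a temp directory so scan_tree can be run offline."""
    root = tempfile.mkdtemp(prefix="repo-audit-")
    for rel, content in SAMPLE_REPO.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root
```

The single support address in the README is not flagged because Markdown is not treated as a data file; in a real audit the pattern set would be extended and the scan wired into CI so a push containing a fixture export fails before it reaches the remote.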
By analyzing recent cyberattacks in the education sector, we can see that threat actors continue to rely on credential access, execution, and initial access techniques to compromise institutions.
These incidents demonstrate how vulnerabilities can result in significant data exposure. To mitigate these risks, educational organizations must employ strong encryption, robust access controls, continuous monitoring, and regular security assessments. By prioritizing proactive defense strategies, institutions can better protect sensitive information and maintain trust within their communities.